Security update for sqlite3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1455-1 Final 1 1 2025-05-07T15:13:56Z current 2025-05-07T15:13:56Z 2025-05-07T15:13:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sqlite3 This update for sqlite3 fixes the following issues: - CVE-2025-3277,CVE-2025-29087: Fixed integer overflow in sqlite concat function (bsc#1241020) - CVE-2025-29088: Fixed integer overflow through the SQLITE_DBCONFIG_LOOKASIDE component (bsc#1241078) Other fixes: - Updated to version 3.49.1 from Factory (jsc#SLE-16032) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-BYOS-2025-1455,Image SLES12-SP5-Azure-HPC-BYOS-2025-1455,Image SLES12-SP5-Azure-HPC-On-Demand-2025-1455,Image SLES12-SP5-Azure-SAP-BYOS-2025-1455,Image SLES12-SP5-Azure-SAP-On-Demand-2025-1455,Image SLES12-SP5-Azure-Standard-On-Demand-2025-1455,SUSE-2025-1455,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-1455 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251455-1/ Link for SUSE-SU-2025:1455-1 https://lists.suse.com/pipermail/sle-security-updates/2025-May/020804.html E-Mail link for SUSE-SU-2025:1455-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1241020 SUSE Bug 1241020 https://bugzilla.suse.com/1241078 SUSE Bug 1241078 https://bugzilla.suse.com/1241189 SUSE Bug 1241189 https://www.suse.com/security/cve/CVE-2025-29087/ SUSE CVE CVE-2025-29087 page https://www.suse.com/security/cve/CVE-2025-29088/ SUSE CVE CVE-2025-29088 page https://www.suse.com/security/cve/CVE-2025-3277/ SUSE CVE CVE-2025-3277 page Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-Azure-HPC-BYOS Image SLES12-SP5-Azure-HPC-On-Demand Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-Azure-Standard-On-Demand SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libsqlite3-0-3.49.1-9.33.1 sqlite3-tcl-3.49.1-9.33.1 sqlite3-3.49.1-9.33.1 libsqlite3-0-32bit-3.49.1-9.33.1 libsqlite3-0-64bit-3.49.1-9.33.1 sqlite3-devel-3.49.1-9.33.1 sqlite3-doc-3.49.1-9.33.1 libsqlite3-0-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-BYOS sqlite3-tcl-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-BYOS libsqlite3-0-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-HPC-BYOS sqlite3-tcl-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-HPC-BYOS libsqlite3-0-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-HPC-On-Demand sqlite3-tcl-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-HPC-On-Demand libsqlite3-0-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-SAP-BYOS sqlite3-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-SAP-BYOS sqlite3-tcl-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-SAP-BYOS libsqlite3-0-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-SAP-On-Demand sqlite3-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-SAP-On-Demand sqlite3-tcl-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-SAP-On-Demand libsqlite3-0-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand sqlite3-tcl-3.49.1-9.33.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand libsqlite3-0-3.49.1-9.33.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libsqlite3-0-32bit-3.49.1-9.33.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 sqlite3-3.49.1-9.33.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 sqlite3-devel-3.49.1-9.33.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 sqlite3-tcl-3.49.1-9.33.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory. CVE-2025-29087 Image SLES12-SP5-Azure-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-On-Demand:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:sqlite3-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:sqlite3-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-Standard-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-Standard-On-Demand:sqlite3-tcl-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsqlite3-0-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsqlite3-0-32bit-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-devel-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-tcl-3.49.1-9.33.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251455-1/ https://www.suse.com/security/cve/CVE-2025-29087.html CVE-2025-29087 https://bugzilla.suse.com/1241020 SUSE Bug 1241020 In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect. CVE-2025-29088 Image SLES12-SP5-Azure-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-On-Demand:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:sqlite3-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:sqlite3-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-Standard-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-Standard-On-Demand:sqlite3-tcl-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsqlite3-0-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsqlite3-0-32bit-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-devel-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-tcl-3.49.1-9.33.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251455-1/ https://www.suse.com/security/cve/CVE-2025-29088.html CVE-2025-29088 https://bugzilla.suse.com/1241078 SUSE Bug 1241078 An integer overflow can be triggered in SQLite's `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution. CVE-2025-3277 Image SLES12-SP5-Azure-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-HPC-On-Demand:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:sqlite3-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-BYOS:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:sqlite3-3.49.1-9.33.1 Image SLES12-SP5-Azure-SAP-On-Demand:sqlite3-tcl-3.49.1-9.33.1 Image SLES12-SP5-Azure-Standard-On-Demand:libsqlite3-0-3.49.1-9.33.1 Image SLES12-SP5-Azure-Standard-On-Demand:sqlite3-tcl-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsqlite3-0-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libsqlite3-0-32bit-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-devel-3.49.1-9.33.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:sqlite3-tcl-3.49.1-9.33.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251455-1/ https://www.suse.com/security/cve/CVE-2025-3277.html CVE-2025-3277 https://bugzilla.suse.com/1241189 SUSE Bug 1241189